Roll your own...
-
It's a little like upside down world because during the discussion, he said he thought that I wasn't backing up my arguments with any substance, "just theory."
The difficult we do right away... ...the impossible takes slightly longer.
Assuming the meeting wasn't confrontational, then put together a report that articulates all the reasons why it's a bad idea. If he was ever an engineer in a previous life and it was a friendly thing, he'll listen. If not, he was never an engineer. Also, it sounds like your dev team is way too small to reinvent the wheel. I'd be surprised if the executives are ok with spending that kind of money for no gain when there's only 2.5 devs.
Jeremy Falcon
-
I don't follow your clarification.
The difficult we do right away... ...the impossible takes slightly longer.
Like putting a Big Mac in your own wrapper and telling your boss you made it yourself.
-
Oh you're so right. Fortunately the higher ups are not going to go all in until we produce a demo program to show what we can do. This puts a serious crimp in our potential output.
The difficult we do right away... ...the impossible takes slightly longer.
-
Thank you! That's what I thought. Other people in the company have said to me that they think he's a bit of a charlatan. He is a big talker to upper management.
The difficult we do right away... ...the impossible takes slightly longer.
When it came to the website that drives my team processes, we just went with Windows Auth. No login page and no user management on our part, and it's about as secure as you can get with minimal effort. HR takes care of the AD accounts and users can request security group membership on their own, and we approve/deny any requests to the groups the site uses. All group memberships are looked at for what you can see/do. If you're not in any groups, you get read-only access to a limited portion of the site. About the only thing we do as far as users is the site allows you to create a user profile where you get to set a bunch of defaults, like landing pages, default view tabs, email notification subscriptions, color theme, font size, and a bunch of other stuff.
Asking questions is a skill | CodeProject Forum Guidelines | Google: C# How to debug code | Seriously, go read these articles. Dave Kreskowiak
-
Oh man, that's a nasty spot to be in.
Asking questions is a skill | CodeProject Forum Guidelines | Google: C# How to debug code | Seriously, go read these articles. Dave Kreskowiak
-
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework. I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!" I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
The difficult we do right away... ...the impossible takes slightly longer.
Reinventing the wheel. Maybe a squarish / triangularish kind of wheel.
-
So he wants to use this gem?
SELECT * FROM Users WHERE UserName=@username AND Password=@password
There's a reason why there are so few secure authentication frameworks. Security is very difficult to get right. No offense to you or your team, but the chances your team is going to come up with something that doesn't have more security holes in it than an established framework is close to zero. Your new Director is showing massive inexperience with a single demand. Where did this person come from and are they still in business?
Asking questions is a skill | CodeProject Forum Guidelines | Google: C# How to debug code | Seriously, go read these articles. Dave Kreskowiak
-
I remember your post about this in the Web Development forum, titled Identity Management Recommendations. I have great interest in this same topic. I'm currently working on an authentication and authorization system for my Chromosphere.com project.
Richard Andrew x64 wrote:
So, to be brief, our new IT Director thinks he'd rather have us roll our own user authentication functionality, than use the components already present in the ASP.NET Core framework.
Your dev team is made up of three people, right? What kind of deadline are you on? A dev team that small, regardless of any team member's skill and experience, will exhaust a huge amount of time and money developing this. In addition, it needs to be maintained and updated as security needs are always changing. Every day, you will need to seek out the most recent exploits and vulnerabilities, fix them, and test them. Does a 3 person dev team have the time and resources to do this? No way!
Richard Andrew x64 wrote:
I recommended strongly against this, but he waved his hand and said, "There won't be any security holes!"
He's right. If you create a hacker's playground, everything will go down. If all computer systems are perpetually down, then there won't be any bugs to exploit. What's the percentage of downtime your systems have? Anything under 99.9% uptime is unacceptable. If your IT director doesn't realize this, he lives under a rock.
Richard Andrew x64 wrote:
I don't intend to pull the eject cord on this job, so I want to ask the public, am I right, or is the IT Director right?
You are 100% right. Your IT director is absolutely wrong. I'm not in your shoes, so I can't fully understand who and what you are dealing with here. If the leadership at the top insists on committing such a disastrous mistake, then it's clear that they don't understand this at all. If they won't listen to reason, that's their fault. Working under such leadership is the perfect reason to seek out a new job.
Richard Andrew x64 wrote:
I don't intend to pull the eject cord on this job
That just might be the answer.
-
Reminds me of an old song: Roll another one just like the other one...
A home without books is a body without soul. (Marcus Tullius Cicero) | PartsBin, an Electronics Part Organizer - Release Version 1.4.0 (Many new features) | JaxCoder.com | Latest Article: EventAggregator
-
Dave Kreskowiak wrote:
So he wants to use this gem?
Dave, now that I've had time to think about your post, I'm wondering what you're saying is wrong with that SQL statement. It looks like it's using parameters, so I'm wondering. Keep in mind that I don't know the first thing about designing an authentication library.
The difficult we do right away... ...the impossible takes slightly longer.
-
If it ain't broke don't fix it!
A home without books is a body without soul. (Marcus Tullius Cicero) | PartsBin, an Electronics Part Organizer - Release Version 1.4.0 (Many new features) | JaxCoder.com | Latest Article: EventAggregator
Mike Hankey wrote:
If it ain't broke don't fix it!
I usually end up with "If it's fixed, break it, then fix it differently and pat myself on the back for a good job well done!" CQ de W5ALT
Walt Fair, Jr., PhD, P.E. | Comport Computing | Specializing in Technical Engineering Software
-
I hear ya!
A home without books is a body without soul. (Marcus Tullius Cicero) | PartsBin, an Electronics Part Organizer - Release Version 1.4.0 (Many new features) | JaxCoder.com | Latest Article: EventAggregator
-
Typically, this is something that would be used by someone storing passwords in plain text.
Asking questions is a skill | CodeProject Forum Guidelines | Google: C# How to debug code | Seriously, go read these articles. Dave Kreskowiak
-
He'd probably reject that because he read the headline of an article on LinkedOut that said that parameters are evil and should be avoided at all costs! :laugh:
string query = "SELECT * FROM Users WHERE UserName = '" + TextBox11.Text + "' AND Password = '" + TextBox42.Text + "'";
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
If it ain't broke, fix it 'til it is.
-
Dave Kreskowiak wrote:
So he wants to use this gem?
SELECT * FROM Users WHERE UserName=@username AND Password=@password
That's the most disturbing thing I have yet to encounter today. **shudders**
I think
var selectStatement = $"select * from Users where Username='{userName}' and Password='{passWord}'";
is perhaps more shudder inducing. Edit: aha, I see Richard beat me to that particular bit of nastiness.
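The two query shapes argued over in this thread, side by side, as an added example (this is not code from the thread or from ASP.NET Core Identity). It covers both Dave's point that the parameterized "gem" only makes sense over a plaintext Password column, and the concatenated C# snippets Richard and the poster above quoted. The Users table name comes from the quoted query; the Accounts table, the PBKDF2 work factor, the in-memory SQLite database and the sample users are assumptions constructed for the example. The concatenated form is executed only to show that a quote character in a username is parsed as SQL syntax rather than data; the hardened form uses a bound parameter, stores only a salted iterated hash, compares in constant time, and does one derivation even for unknown users so the response time does not reveal whether a name exists.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 310_000   # assumption: work factor chosen for this example
SALT_BYTES = 16
HASH_BYTES = 32


def new_database() -> sqlite3.Connection:
    """Constructed in-memory database. Users has the plaintext Password column the
    quoted query assumes; Accounts keeps a per-user salt and a PBKDF2 hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT PRIMARY KEY, Password TEXT NOT NULL)")
    conn.execute("CREATE TABLE Accounts (UserName TEXT PRIMARY KEY, "
                 "Salt BLOB NOT NULL, Hash BLOB NOT NULL)")
    return conn


# --- the pattern quoted in the thread: string concatenation over a plaintext column ---

def concatenated_query(username: str, password: str) -> str:
    """Builds the statement the way the C# snippets in the thread do: untrusted input
    is pasted straight into the SQL text, so the database parses it as SQL."""
    return ("SELECT * FROM Users WHERE UserName = '" + username
            + "' AND Password = '" + password + "'")


def concatenated_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Runs the concatenated statement. Any quote in the input changes the statement's
    syntax: a username such as O'Brien makes sqlite3 raise OperationalError."""
    return conn.execute(concatenated_query(username, password)).fetchone() is not None


# --- the hardened form: bound parameter over a salted, iterated hash ---

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=HASH_BYTES)


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Stores a fresh random salt and the derived hash; the password itself is never written."""
    salt = os.urandom(SALT_BYTES)
    conn.execute("INSERT INTO Accounts (UserName, Salt, Hash) VALUES (?, ?, ?)",
                 (username, salt, _derive(password, salt)))


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Looks the user up with a bound parameter (quotes in the name are plain data),
    recomputes the hash and compares it in constant time."""
    row = conn.execute("SELECT Salt, Hash FROM Accounts WHERE UserName = ?",
                       (username,)).fetchone()
    if row is None:
        # Unknown user: still pay for one derivation so timing does not leak whether the name exists.
        _derive(password, os.urandom(SALT_BYTES))
        return False
    salt, stored = row
    return hmac.compare_digest(_derive(password, salt), stored)


def stored_secret(conn: sqlite3.Connection, username: str) -> bytes:
    """What the hardened table keeps for a user: the salted hash, never the password."""
    return conn.execute("SELECT Hash FROM Accounts WHERE UserName = ?",
                        (username,)).fetchone()[0]


if __name__ == "__main__":
    db = new_database()
    db.execute("INSERT INTO Users VALUES (?, ?)", ("alice", "hunter2"))  # constructed plaintext row
    register(db, "alice", "hunter2")
    register(db, "O'Brien", "correct horse")
    print(login(db, "alice", "hunter2"), login(db, "alice", "wrong"), login(db, "O'Brien", "correct horse"))
```

Run it directly to see the three login results (True, False, True); then try `concatenated_login(db, "O'Brien", "x")` in a REPL to watch the concatenated statement fail to parse, which is the same mechanism that lets crafted input alter what the query does. The parameterized version needs the hashed column to be worth anything: with a plaintext Password column, `@password` protects the parser but every credential is still sitting in the table.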
-
Last few days it seems like it; I've struggled with most everything I've attempted to do.
A home without books is a body without soul. (Marcus Tullius Cicero) | PartsBin, an Electronics Part Organizer - Release Version 1.4.0 (Many new features) | JaxCoder.com | Latest Article: EventAggregator
-
You are definitely right, your IT director has no idea what he is talking about. I would be interested though in how secure (or what you are securing), as this could reflect the level of security required. Your best bet is to explain how vulnerable not having good security will potentially make your data. Point out (as others have mentioned) how expensive it will be to implement your own security framework. Also, be aware that when this goes t**ts up, the person they're going to point the finger at is you, NOT the IT Director, as you are the implementor, so be aware. It is worth noting that correct implementation of security in existing frameworks is NOT theory, and someone with the title of IT Director should know this.

Now you could take a couple of directions:

1. Tell them if this is really what is required, then please accept my resignation.

2. Ask the IT Director how he proposes to implement such a security system. Explain how you would value his experience in creating/maintaining such systems in the past. If/when he says it's not his place to write code but yours, then explain that what he is suggesting is also theoretical and that you will be using a framework to implement the security safely, as he has expressed (and clarified) that it's you that writes the code, not him.

That might help.